Agents and Password Services

How to Configure FCC Password Services
To configure password services, follow these steps:
  1. Open the Administrative UI
  2. Create password policies that are associated with a user directory in your CA Single Sign-On environment. Use the following path in the Redirection URL field:
    /siteminderagent/forms/smpwservices.fcc
    For more information, see the Policy Server documentation.
Password Services Implementations
CA Single Sign-On uses forms credential collectors (FCCs) to support password services.
Password services help you do the following tasks:
FCC Password Services and URL Query Encryption
The FCC Password Services application enables query data on the URL to be encrypted, further securing Agent interactions. You can only encrypt query data with FCC Password Services. FCC Password Services files include:
  • smpwservices.fcc
    This FCC is installed with the Web Agent and is located at:
    web_agent_home/samples/forms
    If Password Services is invoked and there is no password policy configured, the CA Single Sign-On Administrator at the Policy Server should set the environment variable NETE_PWSERVICES_REDIRECT to a relative path for smpwservices.fcc. The path is:
    /siteminderagent/forms/smpwservices.fcc
    The new FCC displays the Password Services form based on the FCC directives authreason and username.
  • smpwservices.unauth
    This file handles errors that occur during GET/POST actions of the Password Services forms.
    This file is similar to other FCC unauthorized files that are invoked if there is a failure processing the request during the POST. This FCC handles error conditions, such as an empty TARGET variable. The error reporting is intended to be synchronized with the CGI-based Password Services and for handling any other unknown errors caused by an FCC POST.
  • smpwservicesUS-EN.properties
    This properties file is used by smpwservices.fcc to display the user-friendly messages on the Password Services forms.
    This properties file contains the user-friendly messages, which an administrator can modify depending on what they want to display on the Password Services forms. The format for each message is name=value.
How to Localize FCC-based Password Services Change Forms
To localize the user messages for FCC-based Password Services for another locale, follow these steps:
  1. Create an FCC folder on the web server for a new locale, or use an existing folder if one is appropriate for your locale. The typical naming convention for the folder is formslocale, where locale is the locale code (for example, formsja).
    The directories and file names that are shown could be case-sensitive, depending on your operating environment and the type of web server in use.
  2. Place a copy of the relevant Password Services files in the new folder.
  3. Modify the files to accommodate the locale, such as changing the English messages to the language for your locale. Repeat this step with all the files for the locale.
  4. In the Administrative UI, change the value of the Redirection URL field in the Password Policy.
    For example, to use FCC Password Services for Japanese users, put a copy of the following files in the folder formsja, which is located in web_agent_home/samples:
    • smpwservices.fcc, located in web_agent_home/samples/forms
    • smpwservices.unauth, located in web_agent_home/samples/forms
    • A new properties file, smpwservicesja.properties
Use a Fully Qualified URL for Password Services Redirects
When you use password services, you can instruct a Web Agent to build a fully qualified URL, including the fully qualified domain name (FQDN) of the server, for the location to which users are redirected. Use the following parameter:
  • ConstructFullPwsvcUrl
    Instructs the agent to add the server name (FQDN) of the system that is hosting the password services before redirecting the user. You define this server name in the password policy on the Policy Server.
    For example, suppose that the value of this parameter is yes and your password policy points to siteminderagent/forms/smpwservices.fcc. The Web Agent redirects to the following URL:
    HTTP://server_name.example.com/siteminderagent/forms/smpwservices.fcc
    The Web Agent uses the value that is defined in your password policy when the value of this parameter is no. For example, if your password policy only points to a subdirectory, the Web Agent redirects users to that subdirectory.
    Default: No
    Example: No (redirects to the /siteminderagent/forms/smpwservices.fcc defined in your password policy).
    Example: Yes (adds HTTP://server_name.example.com to the /siteminderagent/forms/smpwservices.fcc defined in your password policy).
The default URL for password policies in the Administrative UI does not contain a server name. The Web Agent redirects users to whatever URL exists in the password policy when the value of the previous parameter is set to yes.
Use the examples in the following table as a guide for setting the ConstructFullPwsvcUrl parameter:
  • To host the password services on a specific server:
    Add this URL to your password policy in the Administrative UI: http://server_name.example.com:80/siteminderagent/forms/smpwservices.fcc
    Set the value of ConstructFullPwsvcUrl to: No
  • To host the password services on the same server as the Web Agent using a relative URL:
    Add this URL to your password policy in the Administrative UI: siteminderagent/forms/smpwservices.fcc
    Set the value of ConstructFullPwsvcUrl to: No
  • To host the password services on the same server as the Web Agent using an FQDN:
    Add this URL to your password policy in the Administrative UI: siteminderagent/forms/smpwservices.fcc
    Set the value of ConstructFullPwsvcUrl to: Yes
Configure SecureID Authentication with FCC Password Services
You must modify the SecureID HTML Form template using the Administrative UI if you are using SecureID as your authentication scheme and both of the following conditions exist in your environment:
  • The FCC Password Services feature is configured
  • The value of the SecureUrls parameter for the Web Agent is set to yes
SecureID is implemented using Password Services, which is why you must modify the authentication scheme's template.
To configure SecureID Authentication with FCC password services, add the path to the smpwservices.fcc file in the Target field of the SecureID template, as shown in the following example:
/siteminderagent/forms/smpwservices.fcc
How to Enable User-Initiated Password Changes with FCCs
You can configure the FCC Password services features of CA Single Sign-On to allow users to change their own passwords whenever they want.
Use the following process only if your CA Single Sign-On Web Agent configuration also has the value of the SecureURLs parameter set to no.
To enable user-initiated password changes with FCCs, use the following process:
  1. Confirm that your user directory contains attributes that support Password Policies.
  2. Use the Administrative UI to do the following tasks:
    1. Create an FCC-based password policy and protect the resources that you want.
    2. Configure the password policy to allow authorized users to change their passwords.
  3. Create a password change URL that includes the following parts:
    • The FQDN of the logon server (example: http://logonserver.example.com).
    • The URI of the FCC-based Password services (example: siteminderagent/forms/smpwservices.fcc?).
    • The name of the CA Single Sign-On Web Agent (SMAGENTNAME).
    • One of the following target URLs:
      • For password-change URLs embedded in FCC pages, use the relative values for the (SMAGENTNAME) and (TARGET) sections, as shown in the following example:
        <a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
      • For password-change URLs not embedded in FCC pages, hard-code the name of your CA Single Sign-On Agent for the (SMAGENTNAME) section. Then hard-code a fully qualified domain name value for the (TARGET) section, as shown in the following example:
        <a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
  4. Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
  5. Test the password change function with the following steps:
    1. Display a web page that has the password change link you created in Step 3.
    2. Click the password change link.
      The password change form appears.
    3. Fill out the password change form and submit it.
      If the password change is successful, a confirmation page appears with a link to the protected target resource.
    4. Click the link and verify that the resource appears.
    5. Close and reopen your browser. Try to access the protected resource using your new password.
      If you can access the resource with your new password, the password change is successful.
How to Enable User-Initiated Password Changes with FCCs (SecureURLs=Yes)
You can configure the FCC Password services features of CA Single Sign-On to allow users to change their own passwords whenever they want.
Use the following process only if your CA Single Sign-On Web Agent configuration also has the value of the SecureURLs parameter set to yes.
To enable user-initiated password changes with FCCs, use the following process:
  1. Confirm that your user directory contains attributes that support Password Policies.
  2. Use the Administrative UI to do the following tasks:
    1. Create an FCC-based password policy and protect the resources that you want.
    2. Configure the password policy to allow authorized users to change their passwords.
    3. Set the value of the ValidTargetDomain parameter to the domain of the target resource you want to protect.
  3. Create a password change URL that includes the following parts:
    • The FQDN of the logon server (example: http://logonserver.example.com).
    • The URI of the FCC-based Password services (example: siteminderagent/forms/smpwservices.fcc?).
    • The name of the CA Single Sign-On Web Agent (SMAGENTNAME).
    • One of the following target URLs:
      • For password-change URLs embedded in FCC pages, use the relative values for the (SMAGENTNAME) and (TARGET) sections, as shown in the following example:
        <a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
      • For password-change URLs not embedded in FCC pages, hard-code the name of your CA Single Sign-On Agent for the (SMAGENTNAME) section. Then hard-code a fully qualified domain name value for the (TARGET) section, as shown in the following example:
        <a href="http://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
  4. Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
  5. Open the following file on your web server:
    web_agent_home/samples/forms/smpwservices.fcc
    1. Locate the following line:
      @smpwselfchange=0
    2. Change the 0 (zero) at the end of the previous line to 1 (one), as shown in the following example:
      @smpwselfchange=1
    3. Save and close the smpwservices.fcc file.
  6. Embed the URL you created in Step 3 as a link in one or more unprotected web pages.
  7. Test the password change function with the following steps:
    1. Display a web page that has the password change link you created in Step 3.
    2. Click the password change link.
      The password change form appears.
    3. Fill out the password change form and submit it.
      If the password change is successful, a confirmation page appears with a link to the protected target resource.
    4. Click the link and verify that the resource appears.
    5. Close and reopen your browser. Try to access the protected resource using your new password.
      If you can access the resource with your new password, the password change is successful.
How to Enable User-Initiated Password Changes when using the CA Single Sign-On X.509 Certificate and Basic Authentication Scheme
You can configure the FCC Password services features of CA Single Sign-On to allow users to change their own passwords. The CA Single Sign-On X.509 Certificate and Basic authentication scheme requires a password-change URL that starts with the HTTPS protocol.
Follow these steps:
  1. Confirm that your user directory contains attributes that support Password Policies.
  2. Use the Administrative UI to do the following tasks:
    1. Create an FCC-based password policy and protect the resources that you want.
    2. Configure the password policy to allow authorized users to change their passwords.
  3. Create a password change URL that includes the following parts:
    • The HTTPS scheme (protocol).
    • The FQDN of the logon server (example: https://logonserver.example.com).
    • The URI of the FCC-based Password services (example: siteminderagent/forms/smpwservices.fcc?).
    • The name of the CA Single Sign-On Web Agent (SMAGENTNAME).
    • One of the following target URLs:
      • For password-change URLs embedded in FCC pages, use the relative values for the (SMAGENTNAME) and (TARGET) sections, as shown in the following example:
        <a href="https://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=$$smencode(smagentname)$$&TARGET=$$smencode(target)$$">Change Password</a>
      • For password-change URLs not embedded in FCC pages, hard-code the name of your CA Single Sign-On Agent for the (SMAGENTNAME) section. Then hard-code a fully qualified domain name value for the (TARGET) section, as shown in the following example:
        <a href="https://logonserver.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=34&SMAGENTNAME=Agent1&TARGET=https://logonserver.example.com/protected/myprotectedpage.html">Change Password</a>
  4. Embed the password-change URL (from Step 3) as a link in one or more unprotected web pages.
  5. Test the password change function with the following steps:
    1. Display a web page that has the password change link you created in Step 3.
    2. Click the password change link.
      The password change form appears.
    3. Fill out the password change form and submit it.
      A confirmation page appears with a link to the protected target resource.
    4. Click the link and verify that the resource appears.
    5. Close and reopen your browser. Try to access the protected resource using your new password.
      If you can access the resource with your new password, the password change is successful.
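The following is an added example (not CA Single Sign-On code) that serves the three procedures above: it assembles the hard-coded password-change link from Step 3, then checks it before it is embedded in an unprotected page, rejecting a TARGET outside a ValidTargetDomain-style list and, for the X.509 Certificate and Basic scheme, a link that is not https. The function names and the example.com hosts are assumptions drawn from this page's examples, and urlencode() stands in for the $$smencode()$$ directive that only FCC pages expand.

```python
# Added example, not CA Single Sign-On code: builds the hard-coded password-change
# link from Step 3 and checks it before it is embedded in an unprotected page.
# urlencode() stands in for the $$smencode()$$ directive, which only FCC pages expand.
from urllib.parse import parse_qs, urlencode, urlsplit

PW_CHANGE_REASON = "34"                              # SMAUTHREASON used on the page
FCC_URI = "siteminderagent/forms/smpwservices.fcc"   # FCC-based Password Services URI


def build_password_change_url(logon_server, agent_name, target, scheme="http"):
    """Link for pages outside the FCC: SMAGENTNAME and TARGET are literal values."""
    query = urlencode({"SMAUTHREASON": PW_CHANGE_REASON,
                       "SMAGENTNAME": agent_name,
                       "TARGET": target})
    return f"{scheme}://{logon_server}/{FCC_URI}?{query}"


def target_in_valid_domain(target, valid_target_domains):
    """ValidTargetDomain-style check: TARGET must be an absolute http(s) URL whose
    host is one of the configured domains or a subdomain of one."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    domains = [d.lower().lstrip(".") for d in valid_target_domains]
    return any(host == d or host.endswith("." + d) for d in domains)


def validate_password_change_url(url, valid_target_domains, require_https=False):
    """Return (ok, reason). require_https=True models the X.509 Certificate and
    Basic authentication scheme, which accepts only an https password-change URL."""
    parts = urlsplit(url)
    if require_https and parts.scheme != "https":
        return False, "password-change URL must use https"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "logon server must be an absolute URL with an FQDN (http://host)"
    if not parts.path.endswith("/" + FCC_URI):
        return False, "URL does not point at smpwservices.fcc"
    query = parse_qs(parts.query)
    if query.get("SMAUTHREASON") != [PW_CHANGE_REASON]:
        return False, "SMAUTHREASON must be 34 for a user-initiated change"
    if not query.get("SMAGENTNAME", [""])[0]:
        return False, "SMAGENTNAME is missing"
    target = query.get("TARGET", [""])[0]
    if not target_in_valid_domain(target, valid_target_domains):
        return False, f"TARGET {target!r} is outside ValidTargetDomain"
    return True, "ok"
```

The check also catches the scheme-less form (http:logonserver.example.com) because urlsplit yields no hostname for it.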